WO2014112523A1 - Decryption-service provision device, processing device, safety evaluation device, program, and recording medium - Google Patents


Info

Publication number
WO2014112523A1
Authority
WO
WIPO (PCT)
Prior art keywords
decryption
ciphertext
semigroup
result
service providing
Application number
PCT/JP2014/050574
Other languages
French (fr)
Japanese (ja)
Inventor
鉄太郎 小林
山本 剛
仁 冨士
具英 山本
麗生 吉田
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to EP14741137.5A (EP2947813B1)
Priority to US14/760,636 (US9735963B2)
Priority to CN201480005006.6A (CN104919753B)
Priority to JP2014557480A (JP6006809B2)
Publication of WO2014112523A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters
    • H04L9/3013 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems

Definitions

  • the present invention relates to information security technology, and more particularly to key management technology for restricting the parties who can use encrypted information after decryption.
  • Currently, a method of directly calculating the plaintext from the ciphertext using the decryption key is adopted (for example, see Non-Patent Document 1).
  • instead, a method is conceived in which the key is held inside a trusted server device, and the server device provides a decryption service in response to requests from the parties concerned.
  • Such a method is called cloud key management type encryption.
  • the key for decrypting the cipher is not passed directly to the user, so it is expected that the user can be stopped from using the encrypted data by stopping the decryption service.
  • depending on the encryption scheme, however, the user can repeatedly use the decryption service to acquire the ability to decrypt the cipher, and it may then be impossible to stop the user from using the encrypted data even if the decryption service is stopped.
  • Such cloud key management type encryption has a problem in security.
  • the present invention has been made in view of these points, and an object thereof is to provide a technique for improving the security of cloud key management type encryption.
  • a secret key conforming to the ElGamal cipher on a semigroup for which calculating the order of an element is computationally difficult is held; information corresponding to a ciphertext conforming to the ElGamal cipher is input; the information corresponding to the ciphertext is decrypted with the secret key s in accordance with the ElGamal encryption scheme; and information corresponding to the decryption result of the ciphertext is obtained and output.
  • FIG. 1 is a block diagram for explaining the configuration of the security system of the first embodiment.
  • FIG. 2 is a flowchart for explaining the decryption service providing process of the first embodiment.
  • FIG. 3 is a block diagram for explaining the configuration of the security system of the second embodiment.
  • FIG. 4 is a flowchart for explaining the safety evaluation process of the second embodiment.
  • FIG. 5 is a block diagram for explaining the configuration of the security system of the third embodiment.
  • FIG. 6 is a block diagram for explaining the configuration of the processing apparatus of the third embodiment.
  • FIG. 7 is a block diagram for explaining the configuration of the decryption service providing apparatus according to the third embodiment.
  • FIG. 8 is a flowchart for explaining the processing of the processing apparatus of the third embodiment.
  • FIG. 9 is a flowchart for explaining the processing of the decryption service providing apparatus according to the third embodiment.
  • a key is held in a reliable decryption service providing apparatus, and the decryption service providing apparatus provides a decryption service in response to a request from a related party (cloud key management type encryption).
  • a semigroup H (for example, a commutative semigroup or a finite commutative semigroup) is used
  • a decryption service that adopts ElGamal encryption on the semigroup H as its encryption scheme is used. The reason why this decryption service is secure is described below.
  • r ∈ Z_q is a random number determined in the encryption process
  • Z_q is the residue group modulo q
  • q is the order of the semigroup H (a positive integer, for example a prime number)
  • “∈ H” denotes that the preceding symbol is an element of the semigroup H
  • “·” represents the operation defined on the semigroup H.
  • the decryption service device using the ElGamal cipher securely holds the secret key s and decrypts the ciphertext (c1, c2) each time the user inputs a ciphertext (c1, c2).
  • the decryption result m′ is output.
  • the decryption service device may determine whether or not to provide the decryption service to a user by identifying the user with an authentication means and consulting an authentication database that stores the users properly entitled to receive the decryption service, and may output the decryption result in accordance with that determination.
  • a polynomial-time probabilistic algorithm B, which is an attacker trying to extract the secret key s using the decryption service device that uses ElGamal encryption, is formulated.
  • B inputs ciphertexts (c1(i), c2(i)) to the service device and obtains the decryption results w(i) = c1(i) · c2(i)^s.
  • An arbitrary polynomial-time probabilistic algorithm A, which is an attacker, can calculate the order of the element g of the semigroup H using B by the following method.
  • k is a positive integer security parameter.
  • Assuming that every element of the semigroup H is expressed in at most L bits, A selects a bit string sufficiently longer than L bits and uses it, read as a binary number, as the secret key s.
  • A outputs the order n of the element g, except with a negligible probability of at most O(2^−k) (O-notation).
  • Therefore, if such an attacker B exists, the order of the element g of the semigroup H can be calculated. Taking the contrapositive, if it is difficult to calculate the order of the element g of the semigroup H, it is difficult to perform the above attack on the decryption service device using ElGamal encryption.
  • an ordinary elliptic curve is defined over a field, but when its calculation rules are formally applied to the ring R, the associative law holds as for an elliptic curve, and a semigroup is formed.
  • a random element drawn from H is an invertible element with very high probability.
  • calculating the order of the element g is as difficult as factoring N (for details see, for example, Lenstra Jr., H. W., “Factoring integers with elliptic curves,” Annals of Mathematics 126 (3): 649–673, 1987).
  • as a semigroup in which calculating the order of an element is difficult, for example, a semigroup composed of the points (rational points) of an elliptic curve over the ring R can be used.
  • a semigroup in which the order of an element is difficult to calculate is, for example, a semigroup in which calculating the order of an element amounts to solving a factorization problem.
  • a certain calculation or problem being “difficult” means that the calculation result or solution cannot be obtained within polynomial time. That is, “a semigroup in which calculation of the order of an element is difficult in terms of computational complexity” means, for example, a semigroup in which the order of an element cannot be calculated in polynomial time.
  • the “semigroup in which calculation of the order of an element is computationally difficult” may be one in which inverse elements exist or one in which they do not. It may also be, for example, a monoid (a semigroup having a unit element). “Polynomial time” means, for example, a time (calculation time) that can be expressed as a polynomial in the size (length) of the secret key s.
  • polynomial time means, for example, a time (calculation time) that can be expressed as an arbitrary polynomial in the length (for example, the bit length) of the secret key s. “Easy” means not difficult.
  • a decryption service uses a semigroup (commutative semigroup) H in which calculation of the order of the element g is difficult in terms of computational complexity and adopts an ElGamal cipher on the semigroup H as an encryption method.
  • “information corresponding to the ciphertext conforming to the ElGamal encryption scheme” is a ciphertext conforming to the ElGamal encryption scheme
  • “information corresponding to the decryption result of the ciphertext” is the decryption result of the ciphertext.
  • the security system 1 of this embodiment includes an encryption device 11, a processing device 12, and a decryption service providing device 13.
  • the encryption device 11 is configured to be able to provide information to the processing device 12 via a network, a portable recording medium, or the like.
  • the processing device 12 and the decryption service providing device 13 are configured to exchange information with each other via a network, a portable recording medium, or the like.
  • the encryption device 11 includes a storage unit 111, an input unit 112, an encryption unit 113, and an output unit 114.
  • the processing device 12 includes an input unit 121, a processing unit 122, an output unit 123, and an input unit 124.
  • the decryption service providing apparatus 13 includes a storage unit 131, an input unit 132, a decryption unit 133, and an output unit 134.
  • Each of the encryption device 11, the processing device 12, and the decryption service providing device 13 is a special device configured by reading a predetermined program into a general-purpose or dedicated computer including a CPU (central processing unit), a RAM (random-access memory), and the like.
  • the encryption device 11, the processing device 12, and the decryption service providing device 13 execute each process under the control of each control unit (not shown). Data obtained by each unit is stored in a temporary memory (not shown), and is read by each unit as necessary.
  • the semigroup H in which the calculation of the order of the element g is difficult in terms of computational complexity and the system parameters including the element g are set in the encryption device 11 and the decryption service device 13.
  • a secret key s ∈ Z_q conforming to the ElGamal encryption scheme on the semigroup H is selected at random and stored securely in the storage unit 131 of the decryption service providing apparatus 13.
  • the public key y = g^s ∈ H conforming to the ElGamal encryption scheme on the semigroup H is generated and stored in the storage unit 111 of the encryption device 11.
  • plaintext m ⁇ H is input to the input unit 112 of the encryption device 11 and sent to the encryption unit 113 (step S101).
  • the output unit 114 outputs the ciphertext (c 1 , c 2 ).
  • the ciphertext (c1, c2) is input to the processing device 12 via the input unit 121 and sent to the processing unit 122 (step S104).
  • the processing unit 122 generates decryption request information including the ciphertext (c1, c2) and outputs it from the output unit 123 (step S105).
  • the decryption request information including the ciphertext (c1, c2) is input to the input unit 132 of the decryption service providing device 13, and the ciphertext (c1, c2) is sent to the decryption unit 133 (step S106).
  • the output unit 134 outputs response information including the decryption result m′ (step S109).
  • the response information is input to the processing device 12 and sent to the processing unit 122.
  • the decryption service is provided by using the decryption service providing apparatus 13, which employs the ElGamal cipher on the semigroup H for which calculating the order of the element g is considered difficult.
  • even if the user repeatedly uses the decryption service, it can be proved that obtaining the secret key is difficult, so it is guaranteed in principle that the secret key does not leak.
  • with a generally secure encryption scheme, decryption capability cannot be acquired without obtaining the secret key. Therefore, when control is performed to revoke permission after the decryption service has been allowed to a user, it can be said that the user cannot decrypt encrypted documents after use of the service is revoked, whatever behaviour the user is assumed to take.
  • the security of the decryption service is evaluated by determining the computational difficulty or ease of calculating the order of the element g of the semigroup H used for the decryption service.
  • the security of the decryption service can thus be evaluated.
  • the security of such a decryption service may be evaluated at the time of setting the system parameter, or may be performed on a decryption service that has already been provided.
  • a mode in which the security of the decryption service is evaluated at the time of setting the system parameters, and the system parameters are reset when it is determined that the security is low will be described.
  • the security system 2 of this embodiment includes an encryption device 11, a processing device 12, a decryption service providing device 13, a setting device 24, and a safety evaluation device 25.
  • the setting device 24 is configured to be able to provide information to the encryption device 11 and the decryption service providing device 13 via a network or a portable recording medium.
  • the setting device 24 and the safety evaluation device 25 are configured to exchange information with each other via a network, a portable recording medium, or the like.
  • the setting device 24 and the safety evaluation device 25 are special devices configured by reading a predetermined program into a general-purpose or dedicated computer.
  • the safety evaluation device 25 includes a storage unit 251, an input unit 252, a determination unit 253, an evaluation unit 254, and an output unit 255.
  • the safety evaluation device 25 executes each process under the control of a control unit (not shown). Data obtained by each unit is stored in a temporary memory (not shown), and is read by each unit as necessary.
  • in the parameter setting process, the setting device 24 generates system parameters including a semigroup H (for example, a commutative semigroup or a finite commutative semigroup) and its element g (step S201), and outputs information specifying the generated semigroup H and element g (step S202).
  • the determination unit 253 determines the difficulty or ease of calculating the order of the element g of the semigroup H using the information stored in the storage unit 251. For example, when a list of semigroups and elements for which calculating the order of the element is considered difficult is stored in the storage unit 251, the determination unit 253 determines whether the semigroup H and element g under determination are included in that list, and if they are, determines that calculating the order of the element g of the semigroup H is difficult.
  • likewise, when a list of semigroups and elements for which calculating the order of the element is considered easy is stored, the determination unit 253 determines whether the semigroup H and element g under determination are included in that list, and if they are, determines that calculating the order of the element g of the semigroup H is easy.
  • when an algorithm for the determination is stored, the determination unit 253 uses this algorithm to determine whether it is difficult, or whether it is easy, to calculate the order of the element g of the semigroup H under determination.
  • For example, if the discrete logarithm problem in the semigroup H is solved within a predetermined processing time using a number field sieve method or a function field sieve method, it is determined that the order of the element g of the semigroup H is easy to calculate (step S204).
  • the determination result output from the determination unit 253 is input to the evaluation unit 254, which evaluates the safety of the decryption service providing apparatus 13 based on the determination result. That is, when the determination unit 253 determines that calculating the order of the element is difficult, or does not determine that it is easy, the evaluation unit 254 outputs an evaluation result (acc) indicating that the safety of the decryption service providing apparatus 13 is high (step S205). On the other hand, when the determination unit 253 does not determine that calculating the order of the element is difficult, or determines that it is easy, the evaluation unit 254 outputs an evaluation result (rej) indicating that the safety of the decryption service providing apparatus 13 is low (step S206).
  • the evaluation result output from the evaluation unit 254 is input to the setting device 24.
  • the setting device 24 determines whether the evaluation result indicates that the safety is high (step S208). When the evaluation result indicates that the safety is low (rej), the process returns to step S201. When the evaluation result indicates that the safety is high (acc), the setting device 24 outputs the system parameters including the semigroup H and its element g, and sets them in the encryption device 11 and the decryption service providing device 13 (step S209).
  • a decryption service is provided using a self-correction technique on a semigroup in which calculating the order of an element is computationally difficult.
  • self-correction techniques are disclosed in, for example, Reference 1 (International Publication WO/2011/086992) and Reference 2 (International Publication WO/2012/077134). The description below centers on the differences from the first embodiment.
  • the security system 3 includes, for example, the encryption device 11 described above, a processing device 321 that does not hold a secret key, and a decryption service providing device 332 that holds a secret key conforming to the ElGamal encryption scheme described above.
  • the processing device 321 requests the decryption service providing apparatus 332 to provide the decryption capability for a ciphertext, and decrypts the ciphertext using the decryption capability provided by the decryption service providing apparatus 332.
  • the processing device 321 and the decryption service providing device 332 are configured to exchange information.
  • the processing device 321 and the decryption service providing device 332 can exchange information via a transmission line, a network, a portable recording medium, or the like.
  • the processing device 321 includes, for example, an integer selection unit 2102, an input information providing unit 2104, a first calculation unit 2105, a first power calculation unit 2106, and a first list storage unit 2107.
  • Examples of the processing device 321 include a device having a calculation function and a storage function, such as a card reader/writer device or a mobile phone, and a known or dedicated computer provided with a CPU (central processing unit), a RAM (random-access memory), and the like, into which a special program is loaded.
  • the decryption service providing apparatus 332 includes, for example, a first output information calculation unit 2201 (decryption unit), a second output information calculation unit 2202 (decryption unit), a key storage unit 2204 (storage unit), a control unit 2205, an input unit 3132, and an output unit 3134.
  • examples of the decryption service providing apparatus 332 include a tamper-resistant module such as an IC card or an IC chip, a device having a calculation function and a storage function such as a mobile phone, and a known or dedicated computer provided with a CPU, a RAM, and the like, into which a special program is read.
  • the generation functions of the semigroups G and H are ⁇ g and ⁇ h
  • X 1 and X 2 are random variables having values in the semigroup G
  • the realization value of the random variable X 1 is x 1
  • Each process of the processing device 321 is executed under the control of the control unit 2113, and each process of the decryption service providing device
  • the integer selection unit 2102 of the processing device 321 selects integers a, b, a ′, and b ′ (step S2101).
  • a and b are relatively prime natural numbers.
  • a and b are selected at random, for example.
  • Information on at least part of the integers a and b is sent to the input information providing unit 2104, the first power calculation unit 2106, and the second power calculation unit 2109.
  • Information on the integers a, b, a ′, and b ′ is sent to the final output unit 2112.
  • the input information providing unit 2104 generates and outputs first input information τ1 and second input information τ2, which are elements of the semigroup H corresponding to the input ciphertext x in accordance with the ElGamal encryption scheme (information corresponding to the ciphertext x) (step S2103).
  • the first input information τ1 and the second input information τ2 are information in which the relationship to the ciphertext x is disturbed.
  • the processing device 321 can thereby conceal the ciphertext x from the decryption service providing device 332.
  • the first input information τ1 of this embodiment further corresponds to the integer b selected by the integer selection unit 2102
  • the second input information τ2 further corresponds to the integer a selected by the integer selection unit 2102.
  • the processing device 321 can thereby evaluate the decryption capability provided by the decryption service providing device 332 with high accuracy.
  • τ1 and τ2 are exemplified in Reference Documents 1 and 2, for example.
  • x = (c1, c2)
  • (V, W) is an element of the group H
  • f (V, W) Y
  • r 4 to r 7 are natural numbers of 0 or more.
  • the first input information ⁇ 1 is input to the input unit 3132 of the decryption service providing apparatus 332 (FIG. 7) and is input from there to the first output information calculation unit 2201.
  • the second input information ⁇ 2 is input to the input unit 3132 and from there to the second output information calculation unit 2202 (step S2200).
  • the first output information calculation unit 2201 uses the first input information τ1 and the secret key s stored in the key storage unit 2204 to correctly calculate f(τ1) with a probability greater than a certain probability.
  • the calculated result is defined as the first output information z1. That is, the first output information calculation unit 2201 can correctly calculate f(τ1) using the first input information τ1 and the secret key s stored in the key storage unit 2204, and the obtained calculation result is the first output information z1 (step S2201).
  • the second output information calculation unit 2202 uses the second input information τ2 and the secret key s stored in the key storage unit 2204 to correctly calculate f(τ2) with a probability greater than a certain probability, and the calculation result is the second output information z2.
  • the second output information calculation unit 2202 can correctly calculate f(τ2) using the second input information τ2 and the secret key s stored in the key storage unit 2204, and the obtained calculation result is the second output information z2 (step S2202). That is, the first output information calculation unit 2201 and the second output information calculation unit 2202 may output a calculation result that includes an intentional or unintentional error. In other words, there are cases in which the calculation result of the first output information calculation unit 2201 is not f(τ1), and cases in which the calculation result of the second output information calculation unit 2202 is not f(τ2). “Can calculate” means that the calculation can be performed with a non-negligible probability. A non-negligible probability is a probability of at least 1/F(k), where F(k) is a polynomial that is a broadly monotone increasing function of the security parameter k.
  • the first output information calculation unit 2201 outputs the first output information z1
  • the second output information calculation unit 2202 outputs the second output information z2
  • the output unit 3134 outputs the first output information z1 and the second output information z2 (information corresponding to the decryption result of the ciphertext x) (step S2203).
  • the first output information z 1 is input to the first calculation unit 2105 of the processing device 321 (FIG. 6), and the second output information z 2 is input to the second calculation unit 2108.
  • the first output information z 1 and the second output information z 2 correspond to the decryption capability given from the decryption service providing apparatus 332 to the processing apparatus 321 (step S2104).
  • the calculation result u is sent to the first power calculation unit 2106 (step S2105).
  • a set (u, u ′) of the calculation result u and u ′ calculated based on the calculation result is stored in the first list storage unit 2107 (step S2106).
  • the calculation result v is sent to the second power calculation unit 2109 (step S2108).
  • a set (v, v ′) of the calculation result v and v ′ calculated based on the calculation result is stored in the second list storage unit 2110 (step S2109).
  • the output (u^b′ v^a′)^(1/d) is the decryption result f(x) of the ciphertext x with high probability (see References 1 and 2 for the reason, for example).
  • the above-described processing may be repeated a plurality of times, and the most frequent value among the values obtained in step S2115 may be used as the decryption result.
  • d = a′a + b′b may be calculated in step S2115.
  • the present invention is not limited to the embodiment described above.
  • the group used in the self-correction techniques of JP2012-237881, JP2012-220835, JP2012-220814, and JP2012-151756 may be replaced with the above-mentioned semigroup in each embodiment.
  • the security system may further include a history storage device that stores a list including the users who have been provided with the decryption service by the decryption service providing device 13 and the decryption results. In the configuration of each embodiment, it is difficult to obtain the secret key even if the user repeatedly uses the decryption service.
  • hence all decryption results obtained using the secret key are those output from the decryption service providing apparatus 13. Therefore, for example, when a decryption result leaks, information for tracing the leak path can be obtained by checking the list or log of users stored in the history storage device.
  • in the above embodiments, the order of the semigroup H and the order of Z_q were the same q.
  • the order of the semigroup H may be larger or smaller than q. Depending on the encryption scheme, the semigroup H need not be commutative.
  • a computer having a hardware processor such as a CPU or a memory such as a RAM
  • the processing contents of functions that each device should have are described by a program.
  • the program describing the processing contents can be recorded on a computer-readable recording medium.
  • An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.
  • This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
  • a computer that executes such a program first stores a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads a program stored in its own recording device and executes a process according to the read program. As another execution form of the program, the computer may read the program directly from the portable recording medium and execute processing according to the program, and each time the program is transferred from the server computer to the computer. The processing according to the received program may be executed sequentially.
  • the above-described processing may be executed by a so-called ASP (Application Service Provider) type service, which does not transfer the program from the server computer to the computer but realizes the processing function only through execution instructions and acquisition of results.
  • the processing functions of the apparatus are realized by executing a predetermined program on a computer, but at least a part of these processing functions may be realized by dedicated or general-purpose hardware.
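The first-embodiment decryption service (secret key held only by the service, result w = c1 · c2^s, authentication database, history list) together with the security argument that an attacker B extracting s would let an algorithm A compute the order of g, as an added worked example that is not code from the patent. Assumptions: the semigroup H is the multiplicative monoid of integers modulo N = p·q (a stand-in for the text's elliptic curve over the ring Z_N, where computing the order of an element is likewise tied to factoring N); the ciphertext is (c1, c2) = (m·y^r, (g^-1)^r) so that decryption is c1·c2^s; and N is tiny so that the hypothetical attacker B can be played by brute force.

```python
"""Toy model of the text's cloud key management decryption service (ElGamal on a
semigroup, secret key held only by the service) and of its security argument: an
attacker B that recovers s by querying the service yields an algorithm A that computes
the order of g.  Added example, not the patent's code; all parameters are constructed."""
import math
import secrets

P, Q = 1009, 1013       # constructed toy primes; a real system needs N to be factoring-hard
N = P * Q               # carrier of the semigroup H: integers mod N under multiplication
G = 7                   # the element g (coprime to N)
L = N.bit_length()      # every element of H is expressed in at most L bits


def mul(a, b):
    """The semigroup operation on H."""
    return a * b % N


def power(a, e):
    """Repeated operation a^e in H."""
    return pow(a, e, N)


def keygen(s=None):
    """Secret key s (never leaves the service) and public key y = g^s."""
    if s is None:
        s = secrets.randbelow(N)
    return s, power(G, s)


def encrypt(m, y):
    """ElGamal form chosen so that decryption is c1 . c2^s (assumption, see lead-in)."""
    r = secrets.randbelow(N)                 # fresh randomness per message
    g_inv = pow(G, -1, N)                    # g is invertible in this toy monoid
    return mul(m, power(y, r)), power(g_inv, r)


class DecryptionService:
    """Decryption service providing device: holds s, serves only authorised users and
    keeps the (user, result) history the text proposes for tracing leaked results."""

    def __init__(self, s, authorised):
        self._s = s
        self.authorised = set(authorised)    # the authentication database
        self.history = []

    def decrypt(self, user, c1, c2):
        if user not in self.authorised:
            return None                      # unknown or revoked user gets nothing
        m = mul(c1, power(c2, self._s))      # w = c1 . c2^s
        self.history.append((user, m))
        return m

    def revoke(self, user):
        self.authorised.discard(user)


def brute_force_extractor(y):
    """Plays the hypothetical attacker B: returns an s' with g^s' = y, i.e.
    s' = s mod ord(g).  Feasible here only because N is tiny."""
    x, e = 1, 0
    while x != y:
        x, e = mul(x, G), e + 1
    return e


def _prime_factors(x):
    """Distinct prime factors of a small positive integer, by trial division."""
    out, f = [], 2
    while f * f <= x:
        if x % f:
            f += 1
        else:
            out.append(f)
            while x % f == 0:
                x //= f
    if x > 1:
        out.append(x)
    return out


def order_of_g_via_extractor(extractor, rounds=4, k=64):
    """Algorithm A from the text: pick s far longer than L bits, play the service for B,
    and reduce the differences s - s' (all multiples of ord(g)) down to ord(g)."""
    d = 0
    for _ in range(rounds):
        s = secrets.randbits(2 * L + k)      # bit string much longer than L
        _, y = keygen(s)
        d = math.gcd(d, s - extractor(y))    # ord(g) divides every s - s'
    for p in _prime_factors(d):              # drop factors not needed for g^d = 1
        while d % p == 0 and power(G, d // p) == 1:
            d //= p
    return d


def true_order_of_g():
    """Ground truth for checking A; without p and q this is the hard problem."""
    x, k = G, 1
    while x != 1:
        x, k = mul(x, G), k + 1
    return k
```

Because B's output alone lets A recover ord(g), a semigroup in which that order is hard to compute rules out any efficient B, which is exactly the argument the text makes.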

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A secret key conforming to the ElGamal encryption system on a semigroup for which calculating the order of an element is difficult in terms of computational complexity is stored; information corresponding to a ciphertext conforming to the ElGamal encryption system is input; the secret key (s) is used to decrypt the information corresponding to the ciphertext in accordance with the ElGamal encryption system; and information corresponding to the decryption result of the ciphertext is obtained and output. Furthermore, the degree of ease or difficulty, with respect to computational complexity, of calculating the order of an element of the semigroup is determined, and the safety of a decryption-service provision device is evaluated on the basis of the determination result.

Description

Decryption service providing apparatus, processing apparatus, safety evaluation apparatus, program, and recording medium
The present invention relates to information security technology, and in particular to key management technology for restricting which parties can decrypt and use encrypted information.
To decrypt information encrypted with currently common techniques, the plaintext is computed directly from the ciphertext using the decryption key (see, for example, Non-Patent Document 1).
With this method, however, once a key has been handed to a party, decryption cannot be forcibly prohibited if circumstances later change and that party should no longer be allowed to decrypt with the key.
A method has therefore been considered in which, instead of distributing the key to the parties, the key is held inside a trusted server device that provides a decryption service in response to the parties' requests. Such a method is called cloud key management type encryption. Because the decryption key is never handed directly to a user, it is hoped that stopping the decryption service will stop the user from using the encrypted data.
When a decryption service is provided with the key held internally, depending on the encryption scheme a user may acquire the ability to decrypt by repeatedly using the service, so that the user cannot be stopped from using the encrypted data even after the service is stopped. Such a cloud key management type encryption has a security problem.
The present invention has been made in view of these points, and its object is to provide a technique for improving the security of cloud key management type encryption.
A secret key conforming to the ElGamal encryption scheme over a semigroup in which computing the order of an element is computationally difficult is held; information corresponding to a ciphertext of that ElGamal scheme is input; the information corresponding to the ciphertext is decrypted according to the ElGamal scheme using the secret key s; and information corresponding to the decryption result of the ciphertext is obtained and output.
By using the present invention, a user can be prevented from acquiring the ability to decrypt through repeated use of the decryption service, and the security of cloud key management type encryption can be improved.
FIG. 1 is a block diagram for explaining the configuration of the security system of the first embodiment.
FIG. 2 is a flowchart for explaining the decryption service provision process of the first embodiment.
FIG. 3 is a block diagram for explaining the configuration of the security system of the second embodiment.
FIG. 4 is a flowchart for explaining the safety evaluation process of the second embodiment.
FIG. 5 is a block diagram for explaining the configuration of the security system of the third embodiment.
FIG. 6 is a block diagram for explaining the configuration of the processing device of the third embodiment.
FIG. 7 is a block diagram for explaining the configuration of the decryption service providing device of the third embodiment.
FIG. 8 is a flowchart for explaining the processing of the processing device of the third embodiment.
FIG. 9 is a flowchart for explaining the processing of the decryption service providing device of the third embodiment.
Embodiments of the present invention will be described.
<Principle>
The principle common to all embodiments will be described. In each embodiment, the key is held inside a trusted decryption service providing apparatus, which provides a decryption service in response to requests from the parties concerned (cloud key management type encryption). However, the decryption service uses a semigroup H (for example, a commutative semigroup or a finite commutative semigroup) in which computing the order of an element is computationally difficult, and adopts the ElGamal cipher over that semigroup H as the encryption scheme. The reason this decryption service is secure is described below.
[ElGamal encryption scheme]
Next, the ElGamal cipher over the semigroup H is described. The ElGamal cipher is an encryption scheme in which g ∈ H is an invertible element of the semigroup H and, for a randomly chosen secret key s ∈ Z_q, the public key is y = g^{-s} ∈ H; the ciphertext of a plaintext m is (c_1, c_2) = (m·y^r, g^r) ∈ H^2. Here r ∈ Z_q is a random number chosen during encryption, Z_q is the residue group modulo q, q is the order of the semigroup H (a positive integer, for example a prime), β ∈ H denotes that β is an element of the semigroup H, and "·" denotes the operation defined on the semigroup H. To decrypt the ciphertext (c_1, c_2), it suffices to compute m' = c_1·c_2^s ∈ H using the secret key s.
A decryption service device using the ElGamal cipher securely holds the secret key s and, each time a user inputs a ciphertext (c_1, c_2), decrypts that ciphertext and outputs the decryption result m'. The decryption service device may identify the user by an authentication means and, using an authentication database that records the users entitled to the decryption service, decide whether to provide the service to that user before outputting the decryption result.
[Attack on a decryption service device using the ElGamal cipher]
A polynomial-time probabilistic algorithm B, modelling an attacker who tries to extract the secret key s by using a decryption service device based on the ElGamal cipher, is formulated. Given the public key y = g^{-s}, B attacks as follows.
1. For i = 1, 2, 3, ..., u (u a positive integer), B generates ciphertexts c(i) = (c_1(i), c_2(i)), inputs each into the decryption service device, and obtains the decryption result w(i) = c_1(i)·c_2(i)^s.
2. Using the information in c(i) and w(i), B computes and outputs α ∈ Z_q such that y = g^{-α}.
Suppose such a B, which succeeds in the above attack, exists. Then an arbitrary polynomial-time probabilistic algorithm A, acting as an attacker, can compute the order of the element g of the semigroup H using B, by the following method. Here k is a positive integer security parameter.
1. For i = 1, 2, 3, ..., 3k, A performs the following to obtain β_i.
(a) Assuming that an element of the semigroup H is represented by at most L bits, A randomly chooses a bit string λ sufficiently longer than L and takes the value obtained by interpreting λ as a binary number as the secret key s.
(b) A computes y = g^{-s} and uses it as the public key.
(c) A uses B to obtain α such that y = g^{-α}. Whenever B issues a decryption request during this, A decrypts it using s and returns the result to B.
(d) A sets β_i = s - α.
2. A computes the greatest common divisor of β_1, β_2, ..., β_{3k}.
A outputs the order n of the element g except with a negligible probability of at most about O(2^{-k}) (O-notation). The reason is as follows. Since y = g^{-s} = g^{-α}, g^{β_i} = 1 for each i. Hence β_i is an integer multiple of the order n of the element g in the semigroup H. Because s is chosen at random, the integer r_i with β_i = n·r_i is random. The probability that the greatest common divisor of r_1, r_2, ..., r_{3k} is not 1 can be evaluated using the Riemann zeta function and shown to be at most O(2^{-k}) (this proof is given, for example, in: Go Yamamoto and Tetsutaro Kobayashi, "On self-correction for homomorphisms", SCIS 2010). Therefore the greatest common divisor of β_1, β_2, ..., β_{3k} is the order n of the element g. Thus, if the above attack on a decryption service device using the ElGamal cipher succeeds, the order of the element g of the semigroup H can be computed. The contrapositive also holds: if computing the order of the element g of the semigroup H is difficult, then carrying out the above attack on a decryption service device using the ElGamal cipher is also difficult.
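To make the gcd argument concrete, here is an added worked example in Python (not code from the patent) over the multiplicative group of R = Z/NZ, the first semigroup named in the next paragraph. The modulus N = 101·103, the element g = 2, the bit lengths and the seed are constructed toy values; the hypothetical extractor B is stood in for by an exhaustive discrete-logarithm search, which is possible only because N is tiny, and order_of uses the factorization of N, which a real evaluator does not have. The example shows only why each β_i = s - α is a multiple of the order of g and why the gcd of 3k of them collapses to that order.

```python
"""Toy walk-through of the reduction above (added example, not from the patent)."""
import math
import random

# Constructed toy parameters: in a real deployment N must be large and hard to factor.
P, Q = 101, 103
N = P * Q
G = 2                       # invertible element g of H = (Z/NZ)*, gcd(2, N) == 1


def distinct_prime_factors(x: int) -> list:
    """Distinct prime factors of x by trial division (toy sizes only)."""
    out, d = [], 2
    while d * d <= x:
        if x % d == 0:
            out.append(d)
            while x % d == 0:
                x //= d
        d += 1
    if x > 1:
        out.append(x)
    return out


def order_of(g: int, p: int, q: int) -> int:
    """Order n of g in (Z/pqZ)*, computed from the factorization.
    This is exactly the quantity the reduction shows an extractor B would leak."""
    modulus = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(pq)
    order = lam
    for ell in distinct_prime_factors(lam):
        while order % ell == 0 and pow(g, order // ell, modulus) == 1:
            order //= ell
    return order


def simulated_extractor(y: int) -> int:
    """Stand-in for B: returns alpha with g^(-alpha) == y by exhaustive search.
    Feasible only because N is tiny; the proof leaves a real B abstract."""
    target = pow(y, -1, N)          # g^alpha must equal y^-1 = g^s
    acc = 1
    for alpha in range(N):
        if acc == target:
            return alpha
        acc = acc * G % N
    raise ValueError("y is not in the subgroup generated by g")


def recover_order(k: int, seed: int = 0) -> int:
    """Algorithm A: 3k rounds of (long random s, y = g^-s, alpha from B, beta = s - alpha),
    then the gcd of all beta_i, which equals ord(g) except with probability O(2^-k)."""
    rng = random.Random(seed)       # seeded so the walk-through is reproducible
    L = N.bit_length()              # elements of H fit in L bits
    betas = []
    for _ in range(3 * k):
        s = rng.getrandbits(4 * L + 64)   # bit string lambda much longer than L, read as an integer
        y = pow(G, -s, N)                 # public key g^{-s}
        alpha = simulated_extractor(y)    # g^{-alpha} == y
        betas.append(s - alpha)           # g^{beta} == 1, so beta is a multiple of ord(g)
    return math.gcd(*betas)


if __name__ == "__main__":
    n = order_of(G, P, Q)
    print("ord(g) from the factorization:", n)
    print("ord(g) recovered via the reduction:", recover_order(8, seed=2014))
```

With k = 8, recover_order returns the same value as order_of(G, P, Q); raising k makes a gcd larger than n exponentially less likely, which is the O(2^{-k}) bound of the paragraph above. The same machinery is why an evaluator wants N to be unfactorable: for this toy N the order is computable in both directions.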
Examples of semigroups in which computing the order of an element is difficult include the following. Let N be a number that is difficult to factor, and consider the residue ring R = Z/NZ. Computing the order of an element of the multiplicative group of R is known to be as difficult as factoring N (this proof is given, for example, in: G. Miller, "Riemann's hypothesis and tests for primality," Journal of Computer and System Sciences, vol. 13, pp. 300-317, 1976). That is, the multiplicative group of the residue ring R = Z/NZ modulo N, for example, can be used as a semigroup in which computing the order of an element is difficult. Another example is an elliptic curve over the ring R above. An ordinary elliptic curve is defined over a field, but when its operation rules are formally applied over the ring R, the associative law holds just as for an elliptic curve, and a semigroup is formed. When this is used as H, a random element drawn from H is invertible with very high probability. When such an element is used as g, computing the order of g is known to be as difficult as factoring N (details are given, for example, in: H. W. Lenstra Jr., "Factoring integers with elliptic curves," Annals of Mathematics 126 (3): 649-673, 1987). That is, the semigroup consisting of the points (rational points) of an elliptic curve over the ring R above, for example, can be used as a semigroup in which computing the order of an element is difficult. A semigroup in which computing the order of an element is difficult is, for example, a semigroup in which it is difficult to compute the order of an element in order to solve a factoring problem. A computation or problem is "difficult" when its result or solution cannot be obtained in polynomial time. That is, a "semigroup in which computing the order of an element is computationally difficult" means, for example, a semigroup in which the order of an element cannot be computed in polynomial time. Such a semigroup may or may not have inverse elements, and may, for example, be a monoid (a semigroup with an identity element). "Polynomial time" means, for example, a time (computation time) expressible as a polynomial in the size (length) of the secret key s; in other words, a time expressible as an arbitrary polynomial in χ, where χ is the length (for example, the bit length) of the secret key s. "Easy" means not difficult.
<First Embodiment>
Next, a first embodiment is described. This embodiment provides a decryption service that uses a semigroup (commutative semigroup) H in which computing the order of the element g is computationally difficult and adopts the ElGamal cipher over H as the encryption scheme. In this embodiment, the "information corresponding to a ciphertext of the ElGamal encryption scheme" is the ciphertext itself, and the "information corresponding to the decryption result of the ciphertext" is the decryption result itself.
[Configuration]
As illustrated in FIG. 1, the security system 1 of this embodiment includes an encryption device 11, a processing device 12, and a decryption service providing device 13. The encryption device 11 is configured to be able to provide information to the processing device 12 via a network, a portable recording medium, or the like. The processing device 12 and the decryption service providing device 13 are configured to be able to exchange information with each other via a network, a portable recording medium, or the like.
The encryption device 11 includes a storage unit 111, an input unit 112, an encryption unit 113, and an output unit 114. The processing device 12 includes an input unit 121, a processing unit 122, an output unit 123, and an input unit 124. The decryption service providing device 13 includes a storage unit 131, an input unit 132, a decryption unit 133, and an output unit 134. Each of the encryption device 11, the processing device 12, and the decryption service providing device 13 is a special device configured by loading a predetermined program into a general-purpose or dedicated computer including a CPU (central processing unit), RAM (random-access memory), and the like. They execute their respective processes under the control of their control units (not shown). Data obtained by each unit is stored in a temporary memory (not shown) and read by the units as needed.
[Parameter setting process]
In the parameter setting process of this embodiment, system parameters including a semigroup H in which computing the order of the element g is computationally difficult, and its element g, are set in the encryption device 11 and the decryption service providing device 13. A secret key s ∈ Z_q conforming to the ElGamal encryption scheme over H is chosen at random and stored securely in the storage unit 131 of the decryption service providing device 13. A public key y = g^s ∈ H conforming to the ElGamal encryption scheme over H is generated and stored in the storage unit 111 of the encryption device 11.
[Encryption and decryption service provision process]
As illustrated in FIG. 2, first, a plaintext m ∈ H is input to the input unit 112 of the encryption device 11 and sent to the encryption unit 113 (step S101). Using the public key y stored in the storage unit 111, the encryption unit 113 encrypts the plaintext m according to the ElGamal encryption scheme over H, obtaining and outputting the ciphertext (c_1, c_2) = (m·y^r, g^r) ∈ H^2 (step S102). The output unit 114 outputs the ciphertext (c_1, c_2).
The ciphertext (c_1, c_2) is input to the input unit 121 of the processing device 12 and sent to the processing unit 122 (step S104). The processing unit 122 generates decryption request information including the ciphertext (c_1, c_2) and outputs it from the output unit 123 (step S105).
The decryption request information including the ciphertext (c_1, c_2) is input to the input unit 132 of the decryption service providing device 13, and the ciphertext (c_1, c_2) is sent to the decryption unit 133 (step S106). Using the secret key s stored in the storage unit 131, the decryption unit 133 decrypts the ciphertext (c_1, c_2) according to the ElGamal encryption scheme over H, obtaining and outputting the decryption result m' = c_1·c_2^s ∈ H (step S107). The output unit 134 outputs response information including the decryption result m' (step S109). The response information is input to the processing device 12 and sent to the processing unit 122.
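The flow of steps S101 to S109 as an added example in Python (not the patent's or the applicant's code), with the decryption service also consulting the authentication database mentioned under [ElGamal encryption scheme] and honouring a revocation. H is the multiplicative group of Z/NZ with a constructed toy modulus N = 101·103 and g = 2; a deployment needs a large N that is hard to factor, and s must be generated and kept inside the service. The key pair follows the convention of the [ElGamal encryption scheme] section (y = g^{-s}, so that c_1·c_2^s recovers m); the user names and plaintexts are constructed.

```python
"""Added example: first-embodiment flow over H = (Z/NZ)* with an authentication database."""
import secrets

N = 101 * 103   # constructed toy modulus; a real N must be large and hard to factor
G = 2           # invertible element g of H = (Z/NZ)*


def keygen() -> tuple:
    """Parameter setting: s stays inside the decryption service, y goes to the encryption device.
    s is drawn from [1, N) because the order q of H is not published."""
    s = secrets.randbelow(N - 1) + 1
    return s, pow(G, -s, N)          # y = g^{-s}


def encrypt(y: int, m: int) -> tuple:
    """Encryption device 11 (step S102): (c1, c2) = (m * y^r, g^r) with a fresh r per message."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be an element of Z/NZ")
    r = secrets.randbelow(N - 1) + 1
    return (m * pow(y, r, N)) % N, pow(G, r, N)


class DecryptionService:
    """Decryption service providing device 13: holds s (storage unit 131), answers only
    users present in its authentication database, and stops once an entry is revoked."""

    def __init__(self, s: int, authorised) -> None:
        self._s = s
        self._authorised = set(authorised)

    def revoke(self, user: str) -> None:
        """Withdraw the user's entitlement; later requests from that user get no result."""
        self._authorised.discard(user)

    def decrypt(self, user: str, ciphertext: tuple):
        """Steps S106-S109: returns m' = c1 * c2^s, or None when the user is not entitled."""
        if user not in self._authorised:
            return None
        c1, c2 = ciphertext
        if not (0 <= c1 < N and 0 <= c2 < N):
            raise ValueError("ciphertext components must be elements of Z/NZ")
        return c1 * pow(c2, self._s, N) % N


class ProcessingDevice:
    """Processing device 12: holds no key, only forwards decryption requests (steps S104-S105)."""

    def __init__(self, user: str, service: DecryptionService) -> None:
        self.user = user
        self.service = service

    def decrypt(self, ciphertext: tuple):
        return self.service.decrypt(self.user, ciphertext)


def roundtrip(m: int, user: str = "alice", revoke_first: bool = False):
    """Whole flow for one plaintext; returns what the processing device gets back."""
    s, y = keygen()
    service = DecryptionService(s, {user})
    device = ProcessingDevice(user, service)
    ciphertext = encrypt(y, m)
    if revoke_first:
        service.revoke(user)
    return device.decrypt(ciphertext)


if __name__ == "__main__":
    print("decrypted:", roundtrip(1234))
    print("after revocation:", roundtrip(1234, revoke_first=True))
```

The processing device never sees s, and after revoke() the same ciphertext yields nothing; the point of the semigroup choice is that the repeated decrypt() calls a user makes before revocation do not let them reconstruct s.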
[Features of this embodiment]
In this embodiment, the decryption service is provided by a decryption service providing device 13 that adopts the ElGamal cipher over a semigroup H in which computing the order of the element g is considered computationally difficult. With this configuration it can be proved that obtaining the secret key is difficult even if a user repeatedly uses the decryption service, so it is guaranteed in principle that the secret key does not leak. For encryption schemes generally regarded as secure, it is considered impossible to acquire decryption capability without obtaining the secret key. Therefore, when control is exercised to revoke a user's permission after the decryption service has been granted, the user cannot decrypt encrypted documents once the service has been revoked, whatever behaviour that user is assumed to take.
<Second Embodiment>
Next, a second embodiment is described. In this embodiment, the security of the decryption service is evaluated by determining the computational difficulty or ease of computing the order of the element g of the semigroup H used by the service. Such an evaluation may be performed when the system parameters are set, or on a decryption service that is already being provided. In the following, as an example, the security of the decryption service is evaluated when the system parameters are set, and the system parameters are reset if the security is judged to be low. In this embodiment, the "information corresponding to a ciphertext of the ElGamal encryption scheme" is the ciphertext itself, and the "information corresponding to the decryption result of the ciphertext" is the decryption result itself. For matters in common with the first embodiment, the same reference numerals are used and the description is omitted.
[Configuration]
As illustrated in FIG. 3, the security system 2 of this embodiment includes an encryption device 11, a processing device 12, a decryption service providing device 13, a setting device 24, and a safety evaluation device 25. The setting device 24 is configured to be able to provide information to the encryption device 11 and the decryption service providing device 13 via a network, a portable recording medium, or the like. The setting device 24 and the safety evaluation device 25 are configured to be able to exchange information with each other via a network, a portable recording medium, or the like. The setting device 24 and the safety evaluation device 25 are special devices configured by loading a predetermined program into a general-purpose or dedicated computer.
The safety evaluation device 25 includes a storage unit 251, an input unit 252, a determination unit 253, an evaluation unit 254, and an output unit 255. It executes each process under the control of a control unit (not shown). Data obtained by each unit is stored in a temporary memory (not shown) and read by the units as needed.
[Parameter setting process]
As preprocessing for the parameter setting process of this embodiment, information needed to determine the computational difficulty or ease of computing the order of the element g of the semigroup H is stored in the storage unit 252 of the safety evaluation device 25. Examples of such information are a list of semigroups and elements for which computing the order of the element is considered difficult, a list of semigroups and elements for which computing the order of the element is considered easy, or an algorithm that determines this difficulty or ease.
As illustrated in FIG. 4, in the parameter setting process the setting device 24 generates system parameters including a semigroup (for example, a commutative semigroup or a finite commutative semigroup) H and its element g (step S201), and outputs information specifying the generated semigroup H and element g (step S202).
The information specifying the semigroup H and the element g is input to the input unit 252 of the safety evaluation device 25 and sent to the determination unit 253 (step S203). Using the information stored in the storage unit 251, the determination unit 253 determines the difficulty or ease of computing the order of the element g of the semigroup H. For example, if the storage unit 251 holds a list of semigroups and elements for which computing the order is considered difficult, the determination unit 253 checks whether the element g of the semigroup H under evaluation is in the list and, if so, determines that computing the order of g in H is difficult. Alternatively, if the storage unit 251 holds a list of semigroups and elements for which computing the order is considered easy, the determination unit 253 checks whether the element g of the semigroup H under evaluation is in the list and, if so, determines that computing the order of g in H is easy. If the storage unit 251 holds an algorithm for determining the difficulty or ease of computing the order of an element of a semigroup, the determination unit 253 uses that algorithm to determine whether computing the order of the element g of the semigroup H under evaluation is difficult, or whether it is easy. For example, if the discrete logarithm problem in the semigroup H can be solved within a predetermined processing time using the number field sieve or the function field sieve, the determination unit 253 determines that computing the order of the element g of H is also easy (step S204).
The determination result output from the determination unit 253 is input to the evaluation unit 254, which evaluates the security of the decryption service providing device 13 on the basis of that result. That is, if the determination unit 253 has determined that computing the order of the element is difficult, or has not determined that it is easy, the evaluation unit 254 outputs an evaluation result (acc) indicating that the security of the decryption service providing device 13 is high (step S205). Conversely, if the determination unit 253 has not determined that computing the order is difficult, or has determined that it is easy, the evaluation unit 254 outputs an evaluation result (rej) indicating that the security of the decryption service providing device 13 is low (step S206).
The evaluation result output from the evaluation unit 254 is input to the setting device 24, which determines whether the result indicates high security (step S208). If the result indicates low security (rej), the process returns to step S201. If the result indicates high security (acc), the setting device 24 outputs the system parameters including the semigroup H and its element g and sets them in the encryption device 11 and the decryption service providing device 13 (step S209).
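Steps S201 to S209 as an added example in Python (not the patent's code) for semigroups H = (Z/NZ)* identified by the pair (N, g). The determination unit consults a list of pairs judged hard, a list judged easy, and otherwise runs a bounded trial-division factoring attempt, which is a constructed stand-in for the page's test of whether a problem can be solved within a predetermined processing time (a real evaluator would run sieving algorithms at realistic sizes); a modulus that factors within the budget, or turns out to be prime, makes the order of g computable and is judged easy. The budget, the candidate moduli and the list contents are constructed values.

```python
"""Added example: setting device 24 and safety evaluation device 25 for H = (Z/NZ)*."""
import math


class SafetyEvaluationDevice:
    """Safety evaluation device 25 for semigroups described by (N, g)."""

    def __init__(self, hard_list=(), easy_list=(), budget: int = 50) -> None:
        self.hard_list = set(hard_list)   # stored pairs (N, g) believed hard
        self.easy_list = set(easy_list)   # stored pairs (N, g) known easy
        self.budget = budget              # trial divisions allowed: the "predetermined processing time"

    def determine(self, N: int, g: int) -> str:
        """Determination unit 253 (step S204): 'hard' or 'easy'."""
        if (N, g) in self.easy_list:
            return "easy"
        if (N, g) in self.hard_list:
            return "hard"
        if N < 2 or math.gcd(g, N) != 1:
            raise ValueError("g must be an invertible element of Z/NZ")  # parameter sanity check
        d, steps = 2, 0
        while d * d <= N and steps < self.budget:
            if N % d == 0:
                return "easy"          # N factored: ord(g) follows from the factors
            d += 1
            steps += 1
        if d * d > N:
            return "easy"              # N is prime: group order N-1 is public, so ord(g) is computable
        return "hard"                  # budget exhausted without a factor

    def evaluate(self, N: int, g: int) -> str:
        """Evaluation unit 254: acc when judged hard (S205), rej otherwise (S206)."""
        return "acc" if self.determine(N, g) == "hard" else "rej"


def setting_device(candidates, evaluator: SafetyEvaluationDevice):
    """Setting device 24: generate parameters (S201), have them evaluated (S203-S206),
    retry on rej (S208) and output the first accepted (N, g) (S209), or None."""
    for N, g in candidates:
        if evaluator.evaluate(N, g) == "acc":
            return N, g
    return None


if __name__ == "__main__":
    evaluator = SafetyEvaluationDevice(budget=50)
    # Constructed candidates: 91 = 7*13 factors quickly, 97 is prime, 10403 = 101*103
    # survives 50 trial divisions.
    print(setting_device([(91, 2), (97, 5), (10403, 2)], evaluator))
```

The same (N, g) = (10403, 2) is accepted with a budget of 50 trial divisions and rejected with 200, which is the property to keep in mind when reading step S204: the verdict is only as strong as the computational effort the evaluator spends, and an entry in the easy list overrides any budget.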
<Third Embodiment>
Next, a third embodiment is described. In this embodiment, the decryption service is provided using a semigroup in which computing the order of an element is computationally difficult, together with a self-correction technique. Details of self-correction techniques are disclosed in, for example, Reference 1 (International Publication WO/2011/086992) and Reference 2 (International Publication WO/2012/057134). The following description focuses on the differences from the first embodiment.
<Configuration>
As illustrated in FIG. 5, the security system 3 of the third embodiment has, for example, the encryption device 11 described above, a processing device 321 that holds no secret key, and a decryption service providing device 332 that holds a secret key conforming to the ElGamal cryptosystem described above. The processing device 321 requests the decryption service providing device 332 to provide the capability to decrypt a ciphertext, and decrypts the ciphertext using the decryption capability provided by the decryption service providing device 332. The processing device 321 and the decryption service providing device 332 are configured so that they can exchange information, for example via a transmission line, a network, or a portable recording medium.
As illustrated in FIG. 6, the processing device 321 of the third embodiment has, for example, an integer selection unit 2102, an input information providing unit 2104, a first calculation unit 2105, a first exponentiation unit 2106, a first list storage unit 2107, a second calculation unit 2108, a second exponentiation unit 2109, a second list storage unit 2110, a determination unit 2111, a final output unit 2112, and a control unit 2113. Examples of the processing device 321 are a device with computing and storage functions, such as a card reader/writer or a mobile phone, or a known or dedicated computer with a CPU (central processing unit) and RAM (random-access memory) into which a special program has been loaded.
As illustrated in FIG. 7, the decryption service providing device 332 of the third embodiment has, for example, a first output information calculation unit 2201 (decryption unit), a second output information calculation unit 2202 (decryption unit), a key storage unit 2204 (storage unit), a control unit 2205, an input unit 3132, and an output unit 3134. Examples of the decryption service providing device 332 are a tamper-resistant module such as an IC card or IC chip, a device with computing and storage functions such as a mobile phone, or a known or dedicated computer with a CPU and RAM into which a special program has been loaded.
<Processing>
The processing of this embodiment is described next. As premises: G and H are semigroups (for example, commutative semigroups or finite commutative semigroups) in which, as described above, computing the order of an element is computationally hard (for example, H = G × G, or H = G); f(x) is the decryption function that, in accordance with the ElGamal cryptosystem described above, decrypts a ciphertext x, an element of the semigroup H, with a particular secret key s to obtain an element of the semigroup G; μ_g and μ_h are generators of the semigroups G and H, respectively; X_1 and X_2 are random variables taking values in the semigroup G; and x_1 and x_2 are realizations of X_1 and X_2, respectively. Each process of the processing device 321 is executed under the control of the control unit 2113, and each process of the decryption service providing device 332 under the control of the control unit 2205.
As illustrated in FIG. 8, first the integer selection unit 2102 of the processing device 321 (FIG. 6) selects integers a, b, a', b' (step S2101). a and b are, for example, relatively prime natural numbers, selected at random. a' and b' may be selected at random, or selected so as to satisfy d = a'a + b'b. At least part of the information on the integers a and b is sent to the input information providing unit 2104, the first exponentiation unit 2106, and the second exponentiation unit 2109. The information on the integers a, b, a', b' is sent to the final output unit 2112.
The control unit 2113 sets t = 1 (step S2102).
The input information providing unit 2104 generates and outputs first input information τ_1 and second input information τ_2 (information corresponding to the ciphertext x), each an element of the semigroup H corresponding to the input ciphertext x that conforms to the ElGamal cryptosystem described above (step S2103). Preferably, τ_1 and τ_2 are each information whose relationship to the ciphertext x has been scrambled; this lets the processing device 321 conceal the ciphertext x from the decryption service providing device 332. Preferably, in this embodiment τ_1 further corresponds to the integer b selected by the integer selection unit 2102 and τ_2 further corresponds to the integer a, which lets the processing device 321 evaluate with high accuracy the decryption capability provided by the decryption service providing device 332. Concrete examples of τ_1 and τ_2 are given in, for example, References 1 and 2. For example, x = (c_1, c_2), (V, W) is an element of H with f(V, W) = Y, r_4 to r_7 are random non-negative integers, τ_1 = (c_2^b W^{r_4}, c_1^b V^{r_4} μ_g^{r_5}), and τ_2 = (c_2^a W^{r_6}, c_1^a V^{r_6} μ_g^{r_7}).
As illustrated in FIG. 9, the first input information τ_1 is input to the input unit 3132 of the decryption service providing device 332 (FIG. 7) and from there to the first output information calculation unit 2201. The second input information τ_2 is input to the input unit 3132 and from there to the second output information calculation unit 2202 (step S2200).
The first output information calculation unit 2201 uses the first input information τ_1 and the secret key s stored in the key storage unit 2204 to compute f(τ_1) correctly with probability greater than some fixed probability, and takes the obtained result as first output information z_1. That is, the first output information calculation unit 2201 can correctly compute f(τ_1) from τ_1 and s, and takes the obtained result as z_1 (step S2201). Likewise, the second output information calculation unit 2202 uses the second input information τ_2 and the secret key s stored in the key storage unit 2204 to compute f(τ_2) correctly with probability greater than some fixed probability, and takes the obtained result as second output information z_2 (step S2202).
In other words, the first output information calculation unit 2201 and the second output information calculation unit 2202 output computation results that may contain intentional or unintentional errors: the result of the first output information calculation unit 2201 is sometimes f(τ_1) and sometimes not, and the result of the second output information calculation unit 2202 is sometimes f(τ_2) and sometimes not. "Can compute" means being able to compute the value with a non-negligible probability, that is, a probability of at least 1/F(k), where F(k) is a polynomial that is a non-decreasing function of the security parameter k.
The first output information calculation unit 2201 outputs z_1, the second output information calculation unit 2202 outputs z_2, and the output unit 3134 outputs z_1 and z_2 (information corresponding to the decryption result of the ciphertext x) (step S2203).
Returning to FIG. 8, the first output information z_1 is input to the first calculation unit 2105 of the processing device 321 (FIG. 6), and the second output information z_2 to the second calculation unit 2108. These z_1 and z_2 constitute the decryption capability given by the decryption service providing device 332 to the processing device 321 (step S2104).
The first calculation unit 2105 generates the computation result u = f(x)^b x_1 from z_1 (for example, u = z_1 Y^{-r_4} μ_g^{-r_5}). The result u is sent to the first exponentiation unit 2106 (step S2105).
The first exponentiation unit 2106 computes u' = u^a. The pair (u, u') of the result u and the u' computed from it is stored in the first list storage unit 2107 (step S2106).
The determination unit 2111 checks whether there is a pair (u, u') stored in the first list storage unit 2107 and a pair (v, v') stored in the second list storage unit 2110 with u' = v' (step S2107). If no pair (v, v') is stored in the second list storage unit 2110 yet, step S2107 is skipped and step S2108 is performed next. If some u' = v' exists, the process proceeds to step S2115; otherwise it proceeds to step S2108.
In step S2108, the second calculation unit 2108 generates the computation result v = f(x)^a x_2 from z_2 (for example, v = z_2 Y^{-r_6} μ_g^{-r_7}). The result v is sent to the second exponentiation unit 2109 (step S2108).
The second exponentiation unit 2109 computes v' = v^b. The pair (v, v') of the result v and the v' computed from it is stored in the second list storage unit 2110 (step S2109).
The determination unit 2111 checks whether there is a pair (u, u') stored in the first list storage unit 2107 and a pair (v, v') stored in the second list storage unit 2110 with u' = v' (step S2110). If some u' = v' exists, the process proceeds to step S2115; otherwise it proceeds to step S2111.
In step S2111, the control unit 2113 checks whether t = T_max (step S2111), where T_max is a predetermined natural number. If t = T_max, the control unit 2113 outputs information indicating that the computation could not be carried out, for example the symbol ⊥ (step S2113), and the process ends. Otherwise, the control unit 2113 increments t by 1, that is, sets t = t + 1 (step S2112), and returns to step S2103.
In step S2115, the final output unit 2112 uses the u and v corresponding to the u' and v' with u' = v', together with a', b' and d satisfying d = a'a + b'b (for example, d = 1), to compute and output (u^{b'} v^{a'})^{1/d} (step S2115). That is, the final output unit 2112 outputs (u^{b'} v^{a'})^{1/d} for d = a'a + b'b; for example, when d = 1 it outputs u^{b'} v^{a'} for 1 = a'a + b'b. Note that when u = f(x)^b and v = f(x)^a, u^{b'} v^{a'} = f(x)^{b'b + a'a} = f(x)^d. With high probability the output (u^{b'} v^{a'})^{1/d} is the decryption result f(x) of the ciphertext x (for the reason, see, for example, References 1 and 2). The above processing may also be repeated several times and the most frequent of the values obtained in step S2115 taken as the decryption result.
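The procedure of steps S2101 to S2115 above, as an added worked example in Python; it is not code from the patent or its applicant. It carries out the arithmetic in the multiplicative group modulo a fixed prime p, which has inverses and a known order, so the patent's requirement of a semigroup whose element orders are hard to compute is not modelled; only the masking of x, the cross-check u^a = v^b between the two lists, and the final combination u^{b'} v^{a'} are. The conventions assumed are a ciphertext (c_1, c_2) = (m·y^r, g^{-r}) with public key y = g^s, the decryption function f(c_1, c_2) = c_1·c_2^s of claim 2, and masked queries written with the c_1-side component first so that they match that f; the prime p, the generator g, the ranges of a and b, and the decryption service that answers with garbage at a configurable fault rate are all illustrative assumptions.

```python
"""Self-correcting decryption through an unreliable decryption service (added example,
not the patent's code). Arithmetic is in Z_p^* for a fixed prime p, a group with
known order, so the 'hard element order' semigroup requirement is not modelled.
Assumed conventions: ciphertext (c1, c2) = (m*y^r, g^(-r)), f(c1, c2) = c1*c2^s
(claim 2), and masked queries written with the c1-side component first."""
import random
from math import gcd

P = 2305843009213693951  # 2^61 - 1, prime; illustrative size only
G = 3                    # assumed generator mu_g of the group used


def keygen(rng):
    """Secret key s and public key y = g^s mod p."""
    s = rng.randrange(1, P - 1)
    return s, pow(G, s, P)


def encrypt(m, y, rng):
    """Ciphertext (c1, c2) = (m*y^r, g^(-r)) mod p."""
    r = rng.randrange(1, P - 1)
    return (m * pow(y, r, P)) % P, pow(G, -r, P)


def f(x, s):
    """Decryption function f(x) = c1 * c2^s mod p; equals m for x = encrypt(m)."""
    c1, c2 = x
    return (c1 * pow(c2, s, P)) % P


class UnreliableDecryptionService:
    """Holds s; returns f(tau), but answers with garbage with probability fault_rate."""

    def __init__(self, s, fault_rate, rng):
        self.s, self.fault_rate, self.rng = s, fault_rate, rng

    def __call__(self, tau):
        if self.rng.random() < self.fault_rate:
            return self.rng.randrange(1, P)
        return f(tau, self.s)


def ext_gcd(a, b):
    """Return (d, a_, b_) with a_*a + b_*b = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = ext_gcd(b, a % b)
    return d, y, x - (a // b) * y


class SelfCorrectingClient:
    """Processing device: knows only the public key y, never the secret key s."""

    def __init__(self, y, rng, t_max=40):
        self.y, self.rng, self.t_max = y, rng, t_max
        self.Y = rng.randrange(1, P)                 # known Y with f(V, W) = Y:
        self.V, self.W = encrypt(self.Y, y, rng)     # (V, W) is an encryption of Y

    def _mask(self, x, e):
        """tau = (c1^e V^ri g^rj, c2^e W^ri); f(tau) = f(x)^e Y^ri g^rj, so x stays hidden."""
        c1, c2 = x
        ri, rj = self.rng.randrange(1, P - 1), self.rng.randrange(1, P - 1)
        return ((pow(c1, e, P) * pow(self.V, ri, P) * pow(G, rj, P)) % P,
                (pow(c2, e, P) * pow(self.W, ri, P)) % P), ri, rj

    def _unmask(self, z, ri, rj):
        """z * Y^(-ri) * g^(-rj): equals f(x)^e exactly when the service answered correctly."""
        return (z * pow(self.Y, -ri, P) * pow(G, -rj, P)) % P

    def decrypt(self, x, service):
        """Steps S2101-S2115: returns f(x), or None (the symbol bottom) after T_max rounds."""
        while True:                                  # S2101: coprime a, b
            a, b = self.rng.randrange(2, 1 << 16), self.rng.randrange(2, 1 << 16)
            if gcd(a, b) == 1:
                break
        _, a_, b_ = ext_gcd(a, b)                    # a_*a + b_*b = 1, i.e. d = 1
        first, second = [], []                       # lists of (u, u^a) and (v, v^b)
        for _t in range(self.t_max):                 # t = 1 .. T_max (S2102, S2112)
            tau1, r4, r5 = self._mask(x, b)          # S2103: tau_1 carries b
            tau2, r6, r7 = self._mask(x, a)          #        tau_2 carries a
            z1, z2 = service(tau1), service(tau2)    # S2201, S2202, S2104
            u = self._unmask(z1, r4, r5)             # S2105: u = f(x)^b if z1 correct
            first.append((u, pow(u, a, P)))          # S2106: u' = u^a
            v = self._unmask(z2, r6, r7)             # S2108: v = f(x)^a if z2 correct
            second.append((v, pow(v, b, P)))         # S2109: v' = v^b
            for uu, uu_ in first:                    # S2107/S2110: any u' == v'?
                for vv, vv_ in second:
                    if uu_ == vv_:                   # S2115: u^b' v^a' = f(x)^(a'a+b'b) = f(x)
                        return (pow(uu, b_, P) * pow(vv, a_, P)) % P
        return None                                  # S2113: computation failed


def recover(seed, fault_rate, m=0xC0FFEE):
    """End-to-end run with a seeded RNG; returns what the client recovers for plaintext m."""
    rng = random.Random(seed)
    s, y = keygen(rng)
    client = SelfCorrectingClient(y, rng)
    return client.decrypt(encrypt(m, y, rng), UnreliableDecryptionService(s, fault_rate, rng))


if __name__ == "__main__":
    print(recover(1, 0.5) == 0xC0FFEE, recover(1, 1.0))   # True None
```

A service that answers correctly only half the time still yields the plaintext, because a wrong z_1 or z_2 makes u^a ≠ v^b except with negligible probability, so a wrong answer is never combined into the output; a service that always answers wrongly exhausts T_max rounds and yields None, the counterpart of ⊥. The two random exponents in each query hide x from the service, which only ever sees re-randomized encryptions of blinded powers of f(x).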
<Modifications of the Third Embodiment>
One of the integers a and b may be a constant such as 1, and at least one of the integers a' and b' may be a constant. Some of the integers a, b, a', b' may be constants and some processing units or steps omitted accordingly. For example, when b is the constant 1, selecting the integer b in step S2101 is unnecessary, v' = v, and the second exponentiation unit 2109 and step S2109 are not needed. Alternatively, d may be a constant or a random number, and integers a, b, a', b' satisfying d = a'a + b'b may be selected in step S2101. Alternatively, d = a'a + b'b may be computed in step S2115. Alternatively, in step S2101 the integer selection unit 2102 may both select the integers a, b, a', b' and compute d = a'a + b'b, or the integer selection unit 2102 may compute d = a'a + b'b at any point after step S2102 and before step S2115. The final output unit 2112 may also output (u^{b'} v^{a'})^{1/d} only when d ≠ 0; when d = 0, the process may end with an error, or at least some of the integers a, b, a', b' may be reselected in step S2101 and the processing redone. Also, a' and b' may be selected at any point before they are needed in the computation.
<Other Modifications>
The present invention is not limited to the embodiments described above. For example, the group used by the self-correction techniques of the embodiments in JP 2012-237881 A, JP 2012-220834 A, JP 2012-220814 A, JP 2012-151756 A, and the like may be replaced by the semigroup described above. As another example, the security system may further have a history storage device that stores a log containing the list of users who received the decryption service from the decryption service providing device 13 and the decryption results. In the configuration of each embodiment it is hard to obtain the secret key even if a user uses the decryption service repeatedly, so every decryption result obtained with that secret key was output by the decryption service providing device 13. Hence, if a decryption result leaks, information for tracing the leak path can be obtained by examining the user list and log stored in the history storage device. In the embodiments above the order of the semigroup H was q, the same as the order of Z_q, but the order of the semigroup H may also be larger or smaller than q. Depending on the cryptosystem, the semigroup H need not be commutative.
The various processes described above may be executed not only sequentially in the order described but also in parallel or individually, according to the processing capacity of the device executing them or as needed. Other modifications are of course possible without departing from the spirit of the invention.
When the configuration described above is realized by a computer having a hardware processor such as a CPU and a memory such as RAM, the processing content of the functions each device should have is described by a program, and executing that program on the computer realizes those processing functions on the computer. The program describing this processing content can be recorded on a computer-readable recording medium, for example a non-transitory recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory.
The program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM on which it is recorded. The program may also be distributed by storing it in a storage device of a server computer and transferring it from the server computer to other computers over a network.
A computer that executes such a program first stores, for example, the program recorded on the portable recording medium or transferred from the server computer in its own storage device. When executing a process, the computer reads the program stored in its own storage device and executes the process according to it. Alternatively, the computer may read the program directly from the portable recording medium and execute the process according to it, or execute the process according to each program received every time a program is transferred to it from the server computer. The processing described above may also be executed by a so-called ASP (Application Service Provider) type service, in which no program is transferred from the server computer to this computer and the processing functions are realized solely through execution instructions and result acquisition.
In the embodiments above, the processing functions of the devices are realized by executing a predetermined program on a computer, but at least part of these processing functions may be realized by dedicated or general-purpose hardware.
1, 2, 3 security system
11 encryption device
12, 321 processing device
13, 332 decryption service providing device
24 setting device
25 security evaluation device

Claims (14)

  1.  A decryption service providing device comprising:
     a storage unit that holds a secret key conforming to an ElGamal cryptosystem on a semigroup in which computing the order of an element is computationally hard;
     an input unit to which information corresponding to a ciphertext conforming to the ElGamal cryptosystem is input;
     a decryption unit that decrypts the information corresponding to the ciphertext with the secret key in accordance with the ElGamal cryptosystem to obtain information corresponding to a decryption result of the ciphertext; and
     an output unit that outputs the information corresponding to the decryption result.
  2.  The decryption service providing device according to claim 1, wherein
     the secret key is s, the semigroup is H, the ciphertext includes elements c_1, c_2 ∈ H of the semigroup H, and the decryption result is c_1 · c_2^s ∈ H.
  3.  The decryption service providing device according to claim 1 or 2, wherein
     G and H are the semigroups, f(x) is a decryption function that decrypts the ciphertext x, an element of the semigroup H, with a particular secret key in accordance with the ElGamal cryptosystem to obtain an element of the semigroup G, X_1 and X_2 are random variables taking values in the semigroup G, x_1 is a realization of the random variable X_1, x_2 is a realization of the random variable X_2, and the information corresponding to the ciphertext is first input information τ_1 and second input information τ_2, which are elements of the semigroup H;
     the decryption unit
     can correctly compute f(τ_1) using the first input information τ_1 and takes the obtained result as first output information z_1, and
     can correctly compute f(τ_2) using the second input information τ_2 and takes the obtained result as second output information z_2; and
     the information corresponding to the decryption result includes the first output information z_1 and the second output information z_2.
  4.  A processing device, wherein G and H are semigroups in which computing the order of an element is computationally hard, f(x) is a decryption function that decrypts a ciphertext x, an element of the semigroup H, with a particular secret key in accordance with an ElGamal cryptosystem to obtain an element of the semigroup G, X_1 and X_2 are random variables taking values in the semigroup G, x_1 is a realization of the random variable X_1, x_2 is a realization of the random variable X_2, a, b, a', b' are integers, d ≠ 0, and d = a'a + b'b, the processing device comprising:
     a first calculation unit that generates a computation result u = f(x)^b x_1;
     a second calculation unit that generates a computation result v = f(x)^a x_2; and
     a final calculation unit that outputs (u^{b'} v^{a'})^{1/d} when the computation results u and v satisfy u^a = v^b.
  5.  A security evaluation device comprising:
     a determination unit that determines the computational hardness or easiness of computing the order of an element of a semigroup used by a decryption service providing device that holds a secret key conforming to an ElGamal cryptosystem on the semigroup, receives as input information corresponding to a ciphertext conforming to the ElGamal cryptosystem, and outputs information corresponding to a decryption result of the ciphertext obtained by decrypting the information corresponding to the ciphertext with the secret key in accordance with the ElGamal cryptosystem; and
     an evaluation unit that evaluates the security of the decryption service providing device on the basis of the determination result of the determination unit.
  6.  The security evaluation device according to claim 5, wherein
     the secret key is s, the semigroup is H, the ciphertext includes elements c_1, c_2 ∈ H of the semigroup H, and the decryption result is c_1 · c_2^s ∈ H.
  7.  A decryption service providing method comprising:
     an input step in which information corresponding to a ciphertext conforming to an ElGamal cryptosystem on a semigroup in which computing the order of an element is computationally hard is input;
     a decryption step of decrypting the information corresponding to the ciphertext with a secret key conforming to the ElGamal cryptosystem, in accordance with the ElGamal cryptosystem, to obtain information corresponding to a decryption result of the ciphertext; and
     an output step of outputting the information corresponding to the decryption result.
  8.  The decryption service providing method according to claim 7, wherein
     the secret key is s, the semigroup is H, the ciphertext includes elements c_1, c_2 ∈ H of the semigroup H, and the decryption result is c_1 · c_2^s ∈ H.
  9.  The decryption service providing method according to claim 7 or 8, wherein
     G and H are the semigroups, f(x) is a decryption function that decrypts the ciphertext x, an element of the semigroup H, with a particular secret key in accordance with the ElGamal cryptosystem to obtain an element of the semigroup G, X_1 and X_2 are random variables taking values in the semigroup G, x_1 is a realization of the random variable X_1, x_2 is a realization of the random variable X_2, and the information corresponding to the ciphertext is first input information τ_1 and second input information τ_2, which are elements of the semigroup H;
     the decryption step
     can correctly compute f(τ_1) using the first input information τ_1 and takes the obtained result as first output information z_1, and
     can correctly compute f(τ_2) using the second input information τ_2 and takes the obtained result as second output information z_2; and
     the information corresponding to the decryption result includes the first output information z_1 and the second output information z_2.
  10.  A processing method, wherein G and H are semigroups in which computing the order of an element is computationally hard, f(x) is a decryption function that decrypts a ciphertext x, an element of the semigroup H, with a particular secret key in accordance with an ElGamal cryptosystem to obtain an element of the semigroup G, X_1 and X_2 are random variables taking values in the semigroup G, x_1 is a realization of the random variable X_1, x_2 is a realization of the random variable X_2, a, b, a', b' are integers, d ≠ 0, and d = a'a + b'b, the processing method comprising:
     a first calculation step of generating a computation result u = f(x)^b x_1;
     a second calculation step of generating a computation result v = f(x)^a x_2; and
     a final calculation step of outputting (u^{b'} v^{a'})^{1/d} when the computation results u and v satisfy u^a = v^b.
  11.  A safety evaluation method comprising:
     a determination step of determining the computational difficulty or ease of computing the order of an element of the semigroup used in a decryption service providing method that holds a secret key conforming to an ElGamal cryptosystem over a semigroup, receives as input a ciphertext conforming to the ElGamal cryptosystem, and outputs a decryption result obtained by decrypting the ciphertext with the secret key in accordance with the ElGamal cryptosystem; and
     an evaluation step of evaluating the security of the decryption service providing method on the basis of the determination result of the determination step.
  12.  The safety evaluation method according to claim 11, wherein
     the secret key is s, the semigroup is H, the ciphertext includes elements c1, c2 ∈ H of the semigroup H, and the decryption result is c1 · c2^s ∈ H.
  13.  A program for causing a computer to function as the decryption service providing device according to any one of claims 1 to 3, the processing device according to claim 4, or the decryption service providing device according to claim 5 or 6.
  14.  A computer-readable recording medium storing a program for causing a computer to function as the decryption service providing device according to any one of claims 1 to 3, the processing device according to claim 4, or the decryption service providing device according to claim 5 or 6.
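The processing method of claim 10, as an added worked example that is not part of the patent or the applicant's code. It instantiates the semigroups as G = Z_p^* for a small constructed prime p and H = G × G (ElGamal ciphertext pairs under component-wise multiplication), uses the decryption result c1 · c2^s of claim 12 as the function f, models the random variables X1, X2 with a constructed service wrapper that sometimes multiplies its answer by a random non-identity element, and fixes d = a'a + b'b = 1 so that the 1/d root in the final step is the identity operation. The modulus, generator, error probability and all function and class names are assumptions made for the illustration.

```python
"""Claim 10 processing method run against a (possibly unreliable) ElGamal decryption
service.  Added example; the group, modulus, error model and names are assumptions."""
import random
from math import gcd

P = 1000003          # constructed prime; G = Z_P^* (multiplicative group mod P)
GEN = 2              # generator used for ElGamal (assumed; adequate for a toy group)


def keygen(rng):
    """Secret key s and public key y = GEN^(-s), so that c1 * c2^s recovers m (claim 12)."""
    s = rng.randrange(2, P - 1)
    return s, pow(GEN, -s, P)


def encrypt(y, m, rng):
    """ElGamal ciphertext x = (c1, c2) in H = G x G with c1 = m * y^r, c2 = GEN^r."""
    r = rng.randrange(1, P - 1)
    return (m * pow(y, r, P) % P, pow(GEN, r, P))


def decrypt(s, x):
    """The decryption function f(x) = c1 * c2^s of claim 12."""
    c1, c2 = x
    return c1 * pow(c2, s, P) % P


def h_pow(x, e):
    """x^e in H (component-wise).  ElGamal is multiplicatively homomorphic, so f(x^e) = f(x)^e."""
    c1, c2 = x
    return (pow(c1, e, P), pow(c2, e, P))


class UnreliableService:
    """Decryption service that answers f(tau) but, with probability err_prob, multiplies
    the answer by a random non-identity element: the realization x_i of X_i in claim 10."""

    def __init__(self, s, err_prob, rng):
        self.s, self.err_prob, self.rng = s, err_prob, rng

    def query(self, tau):
        z = decrypt(self.s, tau)
        if self.rng.random() < self.err_prob:
            z = z * self.rng.randrange(2, P) % P
        return z


def ext_gcd(a, b):
    """Return (a', b') with a'*a + b'*b = gcd(a, b) (extended Euclid)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_s, old_t


def choose_coefficients(rng):
    """Integers a, b with gcd 1 and a', b' with d = a'a + b'b = 1, so (.)^(1/d) is trivial."""
    while True:
        a, b = rng.randrange(2, 1000), rng.randrange(2, 1000)
        if gcd(a, b) == 1:
            a1, b1 = ext_gcd(a, b)
            return a, b, a1, b1


def consistent(u, v, a, b):
    """The acceptance test of the final calculation step: u^a = v^b."""
    return pow(u, a, P) == pow(v, b, P)


def process(service, x, rng, max_rounds=50):
    """Claim 10: u = f(x)^b x1, v = f(x)^a x2; if u^a = v^b output u^b' * v^a' (d = 1).
    Returns (f(x), rounds used) or (None, max_rounds) if every round was inconsistent."""
    for rounds in range(1, max_rounds + 1):
        a, b, a1, b1 = choose_coefficients(rng)
        u = service.query(h_pow(x, b))      # first calculation step
        v = service.query(h_pow(x, a))      # second calculation step
        if consistent(u, v, a, b):          # final calculation step
            return pow(u, b1, P) * pow(v, a1, P) % P, rounds
    return None, max_rounds


def demo(seed=7, err_prob=0.3, m=424242):
    """Encrypt m, run the processing method against an unreliable service, report the result."""
    rng = random.Random(seed)
    s, y = keygen(rng)
    x = encrypt(y, m, rng)
    recovered, rounds = process(UnreliableService(s, err_prob, rng), x, rng)
    return {"message": m, "plain_decrypt": decrypt(s, x),
            "recovered": recovered, "rounds": rounds}


if __name__ == "__main__":
    print(demo())
```

The check u^a = v^b passes only when the two service answers are mutually consistent, so an erroneous z1 or z2 is rejected instead of being silently accepted, and process() simply retries with fresh coefficients. Choosing d = 1 through the extended Euclidean algorithm avoids taking a d-th root, which is not generally available in a semigroup whose order is unknown.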
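The determination and evaluation steps of claims 11 and 12, as an added example that is not the patent's own code. It assumes the semigroup H is the multiplicative semigroup of integers modulo a constructed N, treats the order as computable when the group order is known outright (N prime, detected by a Miller-Rabin probable-prime test) or when N splits under bounded trial division, and otherwise records only that this check found no factor. The trial-division bound, the sample moduli and the function names are assumptions; the check screens out obviously weak parameters and proves nothing about those it cannot factor.

```python
"""Claims 11-12: determination and evaluation steps for a decryption service whose
semigroup is Z_N^* (multiplication mod N).  Added example; N, the bound and the
names are assumptions, and the check is a screening heuristic."""
import random
from math import isqrt

TRIAL_DIVISION_BOUND = 100_000   # assumed effort budget for the determination step
_RNG = random.Random(0)          # fixed seed keeps the probable-prime test reproducible


def decryption_result(s, c1, c2, n):
    """The decryption result of claim 12: c1 * c2^s in H = Z_n^*."""
    return c1 * pow(c2, s, n) % n


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (a composite passes with probability at most 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # no square reached -1: witness for compositeness
    return True


def small_factor(n, bound=TRIAL_DIVISION_BOUND):
    """Smallest factor of n below the bound, or None if trial division finds none."""
    for q in range(2, min(bound, isqrt(n)) + 1):
        if n % q == 0:
            return q
    return None


def determine_order_difficulty(n):
    """Determination step (claim 11): is the order of Z_n^*, and so of its elements, obtainable?"""
    if is_probable_prime(n):
        return True, f"n is prime, so the group order |Z_n^*| = n - 1 = {n - 1} is known"
    q = small_factor(n)
    if q is not None:
        return True, f"n has the factor {q}; with n factored, phi(n) and element orders follow"
    return False, f"n is composite with no factor below {TRIAL_DIVISION_BOUND}; order not recovered here"


def evaluate_service(n):
    """Evaluation step (claim 11): rate the service from the determination result."""
    easy, reason = determine_order_difficulty(n)
    verdict = ("order computable: evaluated insecure" if easy
               else "order not recovered: no weakness found by this check")
    return {"modulus": n, "order_easy": easy, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for n in (1000003, 15, 1000003 * 1000033):
        print(evaluate_service(n))
```

A prime modulus makes the group order public by construction, and any modulus with a recoverable factorization does the same, so both are rated insecure under the claim's criterion; the remaining case is reported as inconclusive rather than secure, since a bounded trial division is only a stand-in for the factoring effort an evaluator actually considers feasible.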
PCT/JP2014/050574 2013-01-16 2014-01-15 Decryption-service provision device, processing device, safety evaluation device, program, and recording medium WO2014112523A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP14741137.5A EP2947813B1 (en) 2013-01-16 2014-01-15 Decryption service providing device, processing device, safety evaluation device, program, and recording medium
US14/760,636 US9735963B2 (en) 2013-01-16 2014-01-15 Decryption service providing device, processing device, safety evaluation device, program, and recording medium
CN201480005006.6A CN104919753B (en) 2013-01-16 2014-01-15 Decrypt service providing apparatus, processing unit, safety evaluatio device, program and recording medium
JP2014557480A JP6006809B2 (en) 2013-01-16 2014-01-15 Decoding service providing apparatus, processing apparatus, safety evaluation apparatus, program, and recording medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013-005282 2013-01-16
JP2013005282 2013-01-16

Publications (1)

Publication Number Publication Date
WO2014112523A1 true WO2014112523A1 (en) 2014-07-24

Family

ID=51209612

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/050574 WO2014112523A1 (en) 2013-01-16 2014-01-15 Decryption-service provision device, processing device, safety evaluation device, program, and recording medium

Country Status (5)

Country Link
US (1) US9735963B2 (en)
EP (1) EP2947813B1 (en)
JP (1) JP6006809B2 (en)
CN (1) CN104919753B (en)
WO (1) WO2014112523A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5491638B2 (en) * 2010-10-26 2014-05-14 日本電信電話株式会社 Proxy calculation system, calculation device, capability providing device, proxy calculation method, capability providing method, program, and recording medium
US9842086B2 (en) 2013-07-18 2017-12-12 Nippon Telegraph And Telephone Corporation Calculation device, calculation method, and program
JP2018146766A (en) * 2017-03-06 2018-09-20 キヤノン株式会社 Scalar multiple arithmetic device, scalar multiple arithmetic method and program
CN112436938B (en) * 2020-12-04 2022-12-13 矩阵元技术(深圳)有限公司 Digital signature generation method and device and server

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10301491A (en) * 1997-04-28 1998-11-13 Ibm Japan Ltd Cipher communication method and system therefor
WO2011086992A1 (en) 2010-01-12 2011-07-21 日本電信電話株式会社 Representative calculation system, method, request device, program and recording medium
WO2012057134A1 (en) 2010-10-26 2012-05-03 日本電信電話株式会社 Substitution calculation system, calculation apparatus, capability providing apparatus, substitution calculation method, capability providing method, program, and recording medium
JP2012151756A (en) 2011-01-20 2012-08-09 Nippon Telegr & Teleph Corp <Ntt> Decryption system, key device, decryption method, and program
JP2012220834A (en) 2011-04-12 2012-11-12 Nippon Telegr & Teleph Corp <Ntt> Re-encryption system, re-encryption device, re-encryption method, capability providing method, and program
JP2012220814A (en) 2011-04-12 2012-11-12 Nippon Telegr & Teleph Corp <Ntt> Decryption control system, decryption capability providing device, decryption control method, decryption capability providing method, and program
JP2012237881A (en) 2011-05-12 2012-12-06 Nippon Telegr & Teleph Corp <Ntt> Information provision system, mediation device, information provision device, mediation method, information provision method, and program

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7266847B2 (en) * 2003-09-25 2007-09-04 Voltage Security, Inc. Secure message system with remote decryption service
FR2877453A1 (en) * 2004-11-04 2006-05-05 France Telecom SECURE DELEGATION METHOD OF CALCULATING A BILINE APPLICATION
CN101079701B (en) * 2006-05-22 2011-02-02 北京华大信安科技有限公司 Highly secure ellipse curve encryption and decryption method and device
KR101399357B1 (en) * 2007-05-17 2014-05-26 삼성전자주식회사 Method for installing software for using contents and apparatus thereof
CN101626364A (en) * 2008-07-08 2010-01-13 赵运磊 Method for authentication for resisting secrete data disclosure and key exchange based on passwords
CN101645870B (en) * 2008-08-07 2013-04-17 赵运磊 Method for exchanging secret key effectively and fairly
JP2009193024A (en) * 2008-02-18 2009-08-27 Toshiba Corp Decryption processing apparatus, encryption processing system, decryption processing method and program
WO2009153519A1 (en) * 2008-06-16 2009-12-23 France Telecom Method for authenticating an entity by a verifier
CN101677270A (en) * 2008-09-19 2010-03-24 电子科技大学 Approved safe key stream generator based on multivariate quadratic equation
CN101714919B (en) * 2009-10-29 2012-05-30 电子科技大学 Forward-secure digital signature algorithm based on RSA algorithm
CN101860796B (en) * 2010-05-14 2012-10-24 南京邮电大学 Network multicast information encryption method against conspiracy attack
CN101917410B (en) * 2010-07-26 2013-03-13 中国科学院计算技术研究所 Method for verifying unipolarity of information flow for authorization system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10301491A (en) * 1997-04-28 1998-11-13 Ibm Japan Ltd Cipher communication method and system therefor
WO2011086992A1 (en) 2010-01-12 2011-07-21 日本電信電話株式会社 Representative calculation system, method, request device, program and recording medium
WO2012057134A1 (en) 2010-10-26 2012-05-03 日本電信電話株式会社 Substitution calculation system, calculation apparatus, capability providing apparatus, substitution calculation method, capability providing method, program, and recording medium
JP2012151756A (en) 2011-01-20 2012-08-09 Nippon Telegr & Teleph Corp <Ntt> Decryption system, key device, decryption method, and program
JP2012220834A (en) 2011-04-12 2012-11-12 Nippon Telegr & Teleph Corp <Ntt> Re-encryption system, re-encryption device, re-encryption method, capability providing method, and program
JP2012220814A (en) 2011-04-12 2012-11-12 Nippon Telegr & Teleph Corp <Ntt> Decryption control system, decryption capability providing device, decryption control method, decryption capability providing method, and program
JP2012237881A (en) 2011-05-12 2012-12-06 Nippon Telegr & Teleph Corp <Ntt> Information provision system, mediation device, information provision device, mediation method, information provision method, and program

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
"CRYPTO", vol. 84, SPRINGER-VERLAG, pages: 10 - 18
BONEH, D. ET AL.: "A Method for Fast Revocation of Public Key Certificates and Security Capabilities", PROCEEDINGS OF THE 10TH USENIX SECURITY SYMPOSIUM, THE INTERNET, 16 August 2001 (2001-08-16), XP061010992, Retrieved from the Internet <URL:https://www.usenix.org/legacy/publications/library/proceedings/sec01/technical.html> [retrieved on 20131213] *
G. MILLER: "Riemann's hypothesis and tests for primality", JOURNAL OF COMPUTER AND SYSTEM SCIENCE, vol. 13, 1976, pages 300 - 317, XP055129947, DOI: doi:10.1016/S0022-0000(76)80043-8
LENSTRA JR., H. W.: "Annals of Mathematics", vol. 126, 1987, article "Factoring integers with elliptic curves", pages: 649 - 673
See also references of EP2947813A4 *
TAHER ELGAMAL: "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE TRANSACTIONS ON INFORMATION THEORY, vol. IT-31, no. 4, 1985, pages 469 - 472
TSUYOSHI YAMAMOTO ET AL.: "Cloud-gata Fukugo Service kara Kagi o Chushutsu suru Koto wa Kano ka?", 2013 NEN SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY KOEN RONBUNSHU, 22 January 2013 (2013-01-22), pages 1 - 3, XP008180084 *

Also Published As

Publication number Publication date
EP2947813B1 (en) 2020-06-24
CN104919753B (en) 2018-06-05
JPWO2014112523A1 (en) 2017-01-19
US9735963B2 (en) 2017-08-15
JP6006809B2 (en) 2016-10-12
EP2947813A4 (en) 2016-11-09
EP2947813A1 (en) 2015-11-25
US20150358162A1 (en) 2015-12-10
CN104919753A (en) 2015-09-16

Similar Documents

Publication Publication Date Title
Liu et al. Efficient and privacy-preserving outsourced calculation of rational numbers
US10361841B2 (en) Proxy computing system, computing apparatus, capability providing apparatus, proxy computing method, capability providing method, program, and recording medium
JP6763378B2 (en) Cryptographic information creation device, cryptographic information creation method, cryptographic information creation program, and verification system
JP5885840B2 (en) Secret sharing system, data sharing device, distributed data conversion device, secret sharing method, and program
US7787623B2 (en) Key generating apparatus, program, and method
US20050271203A1 (en) Encryption apparatus, decryption apparatus, key generation apparatus, program, and method
EP3959839A1 (en) Methods and systems for privacy preserving evaluation of machine learning models
Jayapandian et al. Secure and efficient online data storage and sharing over cloud environment using probabilistic with homomorphic encryption
JP5852518B2 (en) Authentication encryption device, authentication decryption device, and program
JP6006809B2 (en) Decoding service providing apparatus, processing apparatus, safety evaluation apparatus, program, and recording medium
JP5972181B2 (en) Tamper detection device, tamper detection method, and program
EP3001401A1 (en) Decoding device, decoding ability providing device, method thereof, and program
JP2013243441A (en) Secret dispersion system, data dispersion device, data restoration device, secret dispersion method, and program
JP6294882B2 (en) Key storage device, key storage method, and program thereof
JP5860420B2 (en) Safety evaluation device and program
JP6528560B2 (en) Index calculation system, index calculation method, index calculation program, and collation system
CN116915407A (en) Electronic public certificate verification method and system based on block chain
JP5752751B2 (en) Decryption system, terminal device, signature system, method thereof, and program
JP2014137562A (en) Calculation system, calculation device, and program
Balamurugan et al. Enhancing privacy in cloud using Attribute Based Encryption
JP2010245683A (en) Cryptographic system, key generator, encryption device, decryption device, and encryption processing method
Singh et al. An Efficient and Secure Protocol for Ensuring Data Storage Security in Cloud Computing Using ECC

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14741137

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014557480

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 14760636

Country of ref document: US

Ref document number: 2014741137

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE